kadmin-remctl 3.3

kadmin-remctl is a remctl wrapper around the kadmin protocol that we use
at Stanford to provide an easier API to Kerberos administration (for Java
applications in particular, but also somewhat for humans) and to use a
finer-grained ACL than Kerberos kadmin provides.

This package is still kind of a mess, with some Stanford-specific bits and
a whole lot of messy Perl code, but we had some serious bugs that I needed
to deal with. So this is mostly a bug-fix release without the
much-delayed cleanup. (More on that in a moment.)

The primary problem this release addresses is a very annoying network
problem that we've been having at Stanford. Some interaction between our
new OpenFlow fabric and our current firewalls causes some number of TCP
connections to just be dropped under heavy load. Since we do a lot
of kadmin queries (although we're working on various caching strategies to
cut down on that), kadmin sees this a lot, which results in failures that
cause user-noticable problems in various applications. After some
experimentation, though, we found that most of the failures were on the
original connection, so catching connection failure and retrying works
around most of the problem (at the cost of a delay).

That was only the beginning of the odyssey, however. When I added the
retry code, I found that we were improperly configuring Heimdal::Kadm5 to
actually throw exceptions. And then, even after fixing that, I found that
error messages were still printed to standard error. It turns out that
the underlying Heimdal libraries print warnings to standard error by
default unless the application directs the log messages somewhere else,
and Heimdal::Kadm5 doesn't have a look available to do that. So I ended
up adding a bunch of ugly code to close standard error while doing the
initial connection.

This release also cleans up a bunch of the error handling, including going
back to the behavior that the code always should have had: check_passwd
returns a non-zero status if the password is rejected. I lost an argument
with a co-worker about that years ago, but they've since left and I still
think that's the right thing to do. The new code also uses IPC::Run to
run commands, which makes for much shorter and saner code, and improves
error reporting when trying to change the password of a disabled account
with Heimdal's kpasswd. It also strips whitespace from the username in
passwd_change.

At some point, I'm going to rewrite this software completely, but what
that really needs is a much saner underlying Kerberos module. One of the
problems with all existing Kerberos Perl modules is that they all use
various hacks to try to build with different Kerberos libraries within the
ExtUtils::MakeMaker framework, which is totally inadequate. (That's also
why there aren't any Perl modules linked with the server version of the
kadmin libraries, so they're all painfully slow and require a keytab even
when running directly on the KDC.)

I think the answer is a brand new Perl module that incorporates my
portability layer on top of Kerberos libraries and a configure script that
does proper probing for Kerberos library functionality, and then
integrates that Autoconf probing into a Module::Build infrastructure.
There are some bits on CPAN that one could start with, but not all the
proper glue, so this is a bit of a project. I also have to figure out how
to link different extensions in the project with different libraries,
since having separate distributions for the server and client kadmin
modules (which share 95% of their code) is dumb, but they have to be
separately linked with the appropriate library.

Sometime, when I have some time, I'll do that, and then rebuild a remctl
interface on top of that infrastructure with a much better protocol.